Verification & Validation of a Satellite Fault Detection and Isolation Scheme Based on Sliding-Mode Observers Andrés Marcos + ; Halim Alwi, Chris Edwards * ; Alex Falcoz h ; Eric Bornschlegl § + Deimos Space, Madrid, 28760, Spain (e-mail: andres.marcos@ deimos-space.com) * University of Leicester, Leicester, LE1 7RH, United Kingdom (e-mail: {ha18, ce14}@ leicester.ac.uk) h EADS-Astrium SAS, Toulouse, France (e-mail: Alexandre.FALCOZ@astrium.eads.net) § European Space Agency (ESA-ESTEC), Noordwijk, 2200 AG, The Netherlands (e-mail: Eric.Bornschlegl@esa.int) Abstract: In this article, the verification and validation (V&V) of a fault detection and isolation scheme based on sliding mode observer residual evaluators and threshold-based residual analysis of gyro and thruster faults for the Mars EXpress (MEX) satellite is presented. The results were part of a European Space Agency project with the goal of examining the potential applicability of modern model-based FDI techniques for on-board satellite deployment. The V&V campaign, consisting of firstly a set of specified fault simulations and secondly a Monte Carlo campaign, has been performed using an industrial-level functional engineering simulator developed around a high-fidelity model of the MEX satellite operating during the Sun Acquisition Mode (SAM), which includes up to 6 different controller mode changes. The results show the good performance and robustness of the FDI scheme throughout the SAM phase. 1. Introduction Fault detection and isolation has increased in importance during the last few decades as the level of autonomy expected in engineering systems and devices has increased. Many different methodologies have been considered and developed – often arising from the application of concepts originating in the field of control theory. One application area for these developments has been aerospace systems. In satellite systems there is an implicit requirement to operate with minimal sensor and controller hardware. However satellite deployment is expensive and high risk – once deployed, if a fault occurs there is no recourse, since it is usually prohibitively expensive to XQGHUWDNH D VDWHOOLWH FDSWXUH¶ DQG UHSDLU PLVVLRQ 6DWHOOLWH autonomy, therefore invariably requires a Fault Detection and Isolation (FDI) scheme to detect malfunctions. The results presented in this paper are part of a European Space Agency (ESA) project with the goal of examining the potential applicability of modern model-based FDI techniques to on-board satellite deployment, in the present case for the Mars Express during the Sun Acquisition Mode phase. The FDI objective is to distinguish between actuator and sensor faults during this phase, but the main objective of the study is to show the applicability of modern model-based FDI techniques to the industrial satellite process. Thus, efforts are made to show the underlying methodology and transparency (including tuning and implementation aspects) of the proposed FDI design process. 2. Reference Mission, System & Objectives The selected study case refers to the Mars EXpress (MEX) during the Sun Acquisition Mode (SAM) phase [1, 2]. The model represents classical satellite dynamics with flexible modes. There are no nonlinearities except for the gyroscopic coupling terms and the uncertainties are classically low on the inertias, but relatively high on the flexible mode parameters (frequency, damping). The available on-board sensing suite is composed of an inertial measurement unit (SIRU) and a Sun Acquisition Sensor (SAS) set. The gyro configuration within the SIRU is a 4-axis configuration, while the SAS is redundant and provides Sun direction (2-axis angle information). The actuation system is composed of four tilted thrusters, fully redundant, that provide 3-axis torque capability for the AOCS. Reaction wheels are available on the spacecraft in nominal mode but are not used during the SAM. In any case, momentum is transferred from the wheel to the body at the start of the acquisition due to friction torque. The main objectives of the ESA-ESTEC study are summarized as follows: x An advanced technique is required that can deal with thrusters and gyro FDI problems in the presence of time varying dynamics, controller mode changes, noise and uncertainties. x The FDI objectives are to detect fault occurrence and discriminate whether it belongs to the thrusters (opened or closed faults) or the gyro sensors (dead, frozen, excessive noise or excessive bias faults). 8th IFAC Symposium on Fault Detection, Supervision and Safety of Technical Processes (SAFEPROCESS) August 29-31, 2012. Mexico City, Mexico 978-3-902823-09-0/12/$20.00 © 2012 IFAC 277 10.3182/20120829-3-MX-2028.00167